You hire another administrator who will be responsible for managing all infrastructure-as-a-service (IaaS) deployments in your Azure subscription.
You create a new Azure Active Directory (Azure AD) user account for the new hire. You need to configure the new user account to meet the following requirements:
* Read/write access to all Azure IaaS deployments
* Read-only access to Azure AD
* No access to Azure subscription metadata
Your solution must also minimize your access maintenance in the future.
What should you do?
You should assign the user the Contributor role at the resource group level. Least privilege security means granting users only the scope and degree of access they require, and no more. The Contributor built-in role-based access control (RBAC) role grants the new employee full read/write access at that scope, but does not grant the user any privileges either at the subscription or Azure AD levels.
You should not assign the user the Global administrator directory role. This role assignment gives the new employee full access to Azure AD, which violates the scenario's technical requirements. Also, Azure AD directory roles govern only what a user can do within Azure AD; they do not grant permissions to other Azure services.
You should not assign the user the Owner role at the resource level. Owner is the most privileged built-in role (it can also delegate access to others), so its assignment must be strictly controlled. Furthermore, making a separate role assignment on every resource makes administration more difficult and complex in the future.
You should not assign the user the Virtual Machine Operator role at the subscription level. This built-in role grants users only the ability to monitor and restart virtual machines (VMs), which is far less privilege than the new hire requires to perform full management of the company's Azure IaaS deployments.
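The reasoning above rests on how Azure RBAC scopes inherit: an assignment made at a resource group applies to everything beneath it but nothing above it, and roles are additive allow-lists with optional NotActions carve-outs. The following toy model, added here as an illustration and not Microsoft's authorization engine or any Azure SDK code, scores each of the four options against the scenario's requirements. The subscription id, resource group, resource names and user principal are constructed placeholders; the role definitions are trimmed to the actions the scenario turns on (the Virtual Machine Operator action set is an assumption based on the monitor/restart description above); and Azure AD directory roles, which live in a separate permission plane, are deliberately left out.

```python
"""Toy model of Azure RBAC scope inheritance and role evaluation.

Added illustration for the scenario above. Not Microsoft code: scopes,
subscription id and principal are placeholders, role definitions are
trimmed, and Azure AD directory roles (a separate plane) are not modelled.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed scopes. Azure scopes are paths; an assignment at one path is
# inherited by every scope beneath it and never by scopes above it.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
IAAS_RG = f"{SUBSCRIPTION}/resourceGroups/iaas-prod"
VM = f"{IAAS_RG}/providers/Microsoft.Compute/virtualMachines/web01"
VNET = f"{IAAS_RG}/providers/Microsoft.Network/virtualNetworks/vnet01"


@dataclass(frozen=True)
class Role:
    actions: frozenset
    not_actions: frozenset = frozenset()


# Trimmed built-in role definitions. Owner and Contributor both carry "*";
# Contributor's NotActions removes the right to change role assignments.
# The operator role is reduced to monitor/restart (assumed action set).
ROLES = {
    "Owner": Role(frozenset({"*"})),
    "Contributor": Role(
        frozenset({"*"}),
        frozenset({"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}),
    ),
    "Virtual Machine Operator": Role(
        frozenset({"Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/restart/action"})
    ),
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def scope_covers(assignment_scope: str, target: str) -> bool:
    """An assignment applies to its own scope and to every child scope."""
    base = assignment_scope.rstrip("/")
    return target == base or target.startswith(base + "/")


def _matches(action: str, patterns) -> bool:
    # Azure action matching is case-insensitive; "*" spans path segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(assignments, principal: str, action: str, target: str) -> bool:
    """RBAC is additive: any in-scope assignment whose Actions permit the
    operation, and whose NotActions do not carve it out, grants access."""
    for a in assignments:
        if a.principal != principal or not scope_covers(a.scope, target):
            continue
        role = ROLES[a.role]
        if _matches(action, role.actions) and not _matches(action, role.not_actions):
            return True
    return False


def check_requirements(assignments, principal: str) -> dict:
    """Score an assignment set against the scenario's requirements."""
    iaas_ops = (
        ("Microsoft.Compute/virtualMachines/write", VM),
        ("Microsoft.Compute/virtualMachines/delete", VM),
        ("Microsoft.Network/virtualNetworks/write", VNET),
    )
    return {
        "rw_iaas": all(is_allowed(assignments, principal, act, tgt) for act, tgt in iaas_ops),
        # Subscription scope sits above the resource group, so a resource-group
        # assignment does not reach subscription-level reads in this model.
        "no_subscription_metadata": not is_allowed(
            assignments, principal, "Microsoft.Resources/subscriptions/read", SUBSCRIPTION
        ),
        # Least privilege: the admin should not be able to hand out access.
        "cannot_delegate_access": not is_allowed(
            assignments, principal, "Microsoft.Authorization/roleAssignments/write", VM
        ),
        # Future maintenance burden: one assignment per resource does not scale.
        "assignments_to_maintain": len(assignments),
    }


if __name__ == "__main__":
    user = "new-hire@contoso.example"  # constructed principal
    options = {
        "Contributor @ resource group": [Assignment(user, "Contributor", IAAS_RG)],
        "Contributor @ subscription": [Assignment(user, "Contributor", SUBSCRIPTION)],
        "Owner @ each resource": [Assignment(user, "Owner", VM), Assignment(user, "Owner", VNET)],
        "VM Operator @ subscription": [Assignment(user, "Virtual Machine Operator", SUBSCRIPTION)],
    }
    for name, assigns in options.items():
        print(f"{name:30} {check_requirements(assigns, user)}")
```

Running it shows why the resource-group-scoped Contributor is the only option that satisfies every check with a single assignment: Contributor at subscription scope leaks subscription metadata, Owner on individual resources can delegate access and multiplies the assignments to maintain, and the operator role never reaches read/write.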